API Security — Basic Auth using WSO2 API Manager

Joy Rathnayake
WSO2 Solution Architecture Team Blog
3 min read · Apr 17, 2020

Your enterprise may look like this today. If not, you are ahead of the game 👍

Traditional (Trusted) Enterprises

No one can get in or get out. It is the most secure setup/configuration. However, it does not fit into the modern world, for many reasons.

Modern world enterprises look like this.

Modern Enterprises

Modern world enterprises take their business to the outside world. Opening up to the outside world creates a lot of opportunities. You allow consumers, partners, etc. to connect with your business through APIs, from the web or from mobile devices. You will have an ocean of apps developed by third parties that let consumers access your services, thereby increasing the volume of business. Considering the current calamity, COVID-19, this is the way to go.

This allows external users to come into your network, thereby increasing the risk: it opens up a new attack surface. This is where your backend developers must enforce some form of security on your APIs so they can protect the valuable data sitting in the corporate datacenters.

Basic Authentication is the easiest way of authenticating calls to your APIs. It protects your APIs with a set of credentials.

With Basic Auth, the consumer sends the username and password in the Authorization HTTP header, Base64-encoded. The value is the string “username:password”, and it is sent with every single request. The backend server checks the username and password: if validation succeeds, it returns 200 (OK); otherwise it returns 401 (Unauthorized).

Basic Auth without TLS/HTTPS sends the credentials in clear text, allowing anyone on the network path to extract them. If you use Basic Auth, you must use TLS/HTTPS to secure the transport.
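To make the header format and the 200/401 decision concrete, here is an added example (not code from the post or from WSO2) that builds an Authorization header on the client side and validates it on the server side; the credential store `USERS` is a constructed placeholder, and the decode step shows why the transport must be TLS: anyone who sees the header can recover the password.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed demo credential store (hypothetical). A real backend would hold
# salted password hashes, never plaintext passwords.
USERS = {"alice": "secret", "bob": "pa:ss"}


def build_basic_auth_header(username: str, password: str) -> str:
    """Client side: 'username:password', Base64-encoded, in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str) -> Optional[Tuple[str, str]]:
    """Decode the header back to (username, password); None if malformed.

    Anyone who can see the header can do this: Base64 is an encoding, not
    encryption, which is why the transport has to be TLS.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', but the password can,
    # so split only on the first colon.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: Optional[str]) -> int:
    """Server side: return the HTTP status the backend answers with (200 or 401)."""
    parsed = parse_basic_auth_header(header) if header else None
    if parsed is None:
        return 401  # missing or malformed header (send WWW-Authenticate: Basic with it)
    username, password = parsed
    # Compare against a dummy value for unknown users so timing does not reveal
    # whether the username exists; compare_digest avoids timing leaks on the password.
    expected = USERS.get(username, "\0" * 32)
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return 200 if ok and username in USERS else 401
```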

Most enterprises today use an API Management solution to manage their APIs. An API Management solution adds a set of additional features, including lifecycle management, throttling, rate limiting, security, etc.

Modern Enterprises with API Management

The WSO2 API Manager is able to authenticate requests using Basic and OAuth2 authentication schemes. In addition to using these schemes individually, it is also possible to use the OAuth2 and Basic schemes at the same time.

Basic Authentication is an API-level configuration. It can be configured in the Publisher portal at the time of publishing your APIs.

Open the API Publisher and click the API for which you need to configure Basic Authentication. The Application Level Security section, under Runtime Configuration on the API Details page, lets you enable Basic Authentication as follows.

Enable Basic Auth at the API-level

The WSO2 API Manager also allows you to secure your backend endpoint using Basic Auth; this is done through the Endpoint configuration options in the Publisher portal.

Enable Basic Auth at the Endpoint-level

As you can see, WSO2 API Manager can handle all of these security mechanisms, including Mutual SSL, Basic Auth, OAuth2 and API Key authentication schemes.

For more information:

[1] https://apim.docs.wso2.com/en/3.1.0/learn/api-security/api-authentication/secure-apis-using-basic-authentication/#securing-apis-with-basic-authentication

[2] https://apim.docs.wso2.com/en/latest/learn/design-api/endpoints/endpoint-security/basic-auth/
